Install ModSecurity WAF on OpenStack controller

Web services running on OpenStack controllers, especially those exposed to the Internet, may be vulnerable to various types of web-based attacks. One of the most dangerous attack vectors is injection, rated number one in the OWASP Top Ten. Exploiting this class of vulnerability may lead to data loss or corruption (tampering), loss of accountability (repudiation), denial of service (DoS), or, in some scenarios, complete host takeover (elevation of privilege) leading to compromise of the whole cluster.

Whenever possible, use a Web Application Firewall (WAF) to add an additional layer of defense against web attacks. ModSecurity is an open source WAF for the Apache web server that protects against multiple types of attacks, including SQL injection. A WAF filters on request patterns, so treat it as a complement to fixing injection bugs in the services themselves (parameterized queries, input validation), not as a replacement.

Follow the steps below to install ModSecurity 2.9.1 with the OWASP Core Rule Set (CRS, https://github.com/SpiderLabs/owasp-modsecurity-crs) on Ubuntu 14.04. The file names used in the steps (modsecurity_crs_10_setup.conf.example, base_rules/, activated_rules/) are those of the CRS 2.2.x layout; CRS 3.x reorganized the repository, so check out a 2.2.x release if you follow the steps verbatim.

The default installation enforces the base rules on all local OpenStack services served by Apache on the controller: Keystone, Horizon, Zabbix, and RadosGW, if present.

  1. Install the required packages:

    sudo apt-get update && sudo apt-get upgrade
    sudo apt-get install --yes libyajl-dev libxml2 libxml2-dev liblua5.1 apache2-prefork-dev git
    
  2. Enable mod_unique_id for Apache, which ModSecurity requires. It adds a token to every request that is guaranteed to be unique and exposes it in the UNIQUE_ID environment variable; ModSecurity records it in its audit log so that log entries can be matched to requests:

    sudo a2enmod unique_id
    sudo service apache2 restart
    
  3. Download ModSecurity and compile it with JSON request body support (libyajl), which is needed to inspect Keystone's JSON API requests. The quoted --with-yajl value gives the library directory and the header directory. Build as an unprivileged user; only the install step needs root:

    cd ~
    wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
    tar xvzf modsecurity-2.9.1.tar.gz
    cd modsecurity-2.9.1/
    ./configure --with-yajl="/usr/lib/x86_64-linux-gnu /usr/include/yajl"
    make
    sudo make install
    
  4. Create the module configuration files. SecDataDir holds the persistent collections that the CRS setup file initializes, so it must be writable by the Apache user. The shipped modsecurity.conf-recommended sets SecRuleEngine DetectionOnly, so the module starts in monitoring mode. The paths below are for 64-bit Ubuntu:

    sudo mkdir -p /etc/modsecurity /var/cache/modsecurity
    sudo chown www-data:www-data /var/cache/modsecurity
    printf '<IfModule security2_module>\n\tSecDataDir /var/cache/modsecurity\n\tIncludeOptional /etc/modsecurity/*.conf\n</IfModule>\n' | sudo tee /etc/apache2/mods-available/security2.conf
    printf 'LoadFile /usr/lib/x86_64-linux-gnu/libxml2.so.2\nLoadModule security2_module /usr/lib/apache2/modules/mod_security2.so\n' | sudo tee /etc/apache2/mods-available/security2.load
    sudo cp modsecurity.conf-recommended unicode.mapping /etc/modsecurity/
    sudo mv /etc/modsecurity/modsecurity.conf{-recommended,}
    
  5. Enable the ModSecurity module; after the restart, apachectl -M should list security2_module:

    sudo a2enmod security2
    sudo service apache2 restart
    

    Warning

    The command below switches the ModSecurity engine from DetectionOnly to On, that is, from logging matches to blocking requests, for all sites on this host. Run in DetectionOnly first and check the Apache error log and the ModSecurity audit log for rules that match legitimate traffic; resolve those false positives before enabling blocking in production. Restart Apache after the change.

    sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf
    
  6. Download and install the OWASP core rule set. The sed command inserts the include for the activated rules before the closing </IfModule> in security2.conf, so modsecurity.conf and the CRS setup file in /etc/modsecurity/ are loaded before the rules that depend on them:

    cd /tmp
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
    sudo cp -r owasp-modsecurity-crs/* /etc/modsecurity/
    sudo mkdir -p /etc/modsecurity/activated_rules
    sudo cp /tmp/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
    sudo sed -i '$iIncludeOptional "/etc/modsecurity/activated_rules/*.conf"' /etc/apache2/mods-available/security2.conf
    
  7. Enable the rules by linking them into activated_rules, then restart Apache so they are loaded:

    • Option 1: Enable only the rules for SQL injection attacks:

      sudo ln -s /etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf /etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf

    • Option 2: Enable all base rules (the .data files are linked as well, because the rules reference them relative to their own directory):

      ls /etc/modsecurity/base_rules | xargs -I {} sudo ln -s /etc/modsecurity/base_rules/{} /etc/modsecurity/activated_rules/{}
      

    Note

    If Horizon or Zabbix is deployed on the controller, the base rules need a per-location exclusion, otherwise ModSecurity can block legitimate requests to them: rule 981318 (the CRS 2.2 "common SQL injection testing" check) fires on normal requests to these applications. Add the file /etc/modsecurity/horizon.conf, which the IncludeOptional /etc/modsecurity/*.conf line in security2.conf picks up, with the following content, then restart Apache. SecRuleRemoveById disables the rule only for the matched paths; it stays active for Keystone and RadosGW. Once you know which parameter triggers it, prefer the narrower SecRuleUpdateTargetById to exclude only that argument instead of the whole rule.

    <LocationMatch "/horizon/">
        SecRuleRemoveById 981318
    </LocationMatch>

    <LocationMatch "/zabbix/">
        SecRuleRemoveById 981318
    </LocationMatch>
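As an added example (the editor's own script, not code from the original page or from the ModSecurity or CRS projects), the shell script below supports the tuning described in the Warning and the Note above: it reads ModSecurity 2.x events from the Apache error log, counts them per location and rule id, and prints SecRuleRemoveById exclusions in the form used in horizon.conf for every rule that fired at least a given number of times on a location. The function names, the file name waf_tune.sh, the hit threshold and the sample log lines (client addresses, URIs, rule 950901 and its message) are assumptions made for this example; the line layout is the one ModSecurity 2.x writes to the Apache error log.

```shell
#!/bin/sh
# Added example, not part of the original page and not ModSecurity or CRS code:
# summarise ModSecurity 2.x events in the Apache error log per location and
# rule id, and emit SecRuleRemoveById exclusions for rules that fire repeatedly
# on one location. Run it while SecRuleEngine is still DetectionOnly, review the
# candidates (a rule that fires on real attacks must stay), then switch to On.
# The log lines, hostname, client addresses, URIs and rule 950901 are
# constructed samples.

# Constructed sample in the ModSecurity 2.x / Apache 2.4 error-log format.
sample_log() {
cat <<'EOF'
[Tue Mar 22 10:11:00.000000 2016] [mpm_prefork:notice] [pid 1200] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
[Tue Mar 22 10:12:35.123456 2016] [:error] [pid 1234] [client 10.20.0.2] ModSecurity: Warning. Pattern match "(?i:(\'|;|--))" at ARGS:username. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:username: o'brien"] [severity "CRITICAL"] [hostname "controller"] [uri "/horizon/auth/login/"] [unique_id "VvDHAwoUAAIAAATpBg0AAAAA"]
[Tue Mar 22 10:12:41.654321 2016] [:error] [pid 1235] [client 10.20.0.2] ModSecurity: Warning. Pattern match "(?i:(\'|;|--))" at ARGS:username. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:username: o'brien"] [severity "CRITICAL"] [hostname "controller"] [uri "/horizon/auth/login/"] [unique_id "VvDHAwoUAAIAAATpBg0AAAAB"]
[Tue Mar 22 10:13:02.000001 2016] [:error] [pid 1236] [client 10.20.0.7] ModSecurity: Warning. Pattern match "(?i:(\'|;|--))" at ARGS:filter. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: -- found within ARGS:filter: host--1"] [severity "CRITICAL"] [hostname "controller"] [uri "/zabbix/hosts.php"] [unique_id "VvDHAwoUAAIAAATpBg0AAAAC"]
[Tue Mar 22 10:14:10.000002 2016] [:error] [pid 1237] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:name. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:name: x' or 1=1--"] [severity "CRITICAL"] [hostname "controller"] [uri "/horizon/project/instances/"] [unique_id "VvDHAwoUAAIAAATpBg0AAAAD"]
EOF
}

# waf_events LOGFILE: one line per ModSecurity event, "ACTION RULE_ID URI",
# where ACTION is "blocked" (Access denied) or "warned" (DetectionOnly match).
# Lines that are not ModSecurity events are dropped.
waf_events() {
    sed -n -E \
        -e 's/.*ModSecurity: Access denied.*\[id "([0-9]+)"].*\[uri "([^"]*)"].*/blocked \1 \2/p' \
        -e 's/.*ModSecurity: Warning\..*\[id "([0-9]+)"].*\[uri "([^"]*)"].*/warned \1 \2/p' \
        "$1"
}

# location_of URI: first path segment as a LocationMatch prefix ("/horizon/"),
# "/" for the root; a query string, if present, is dropped first.
location_of() {
    path=${1%%\?*}
    seg=${path#/}
    seg=${seg%%/*}
    printf '/%s\n' "${seg:+$seg/}"
}

# waf_summary LOGFILE: "LOCATION RULE_ID ACTION COUNT", sorted.
waf_summary() {
    waf_events "$1" | while read -r action id uri; do
        printf '%s %s %s\n' "$(location_of "$uri")" "$id" "$action"
    done | LC_ALL=C sort | uniq -c | awk '{ print $2, $3, $4, $1 }'
}

# waf_exclusions LOGFILE MIN_HITS: Apache snippet that removes, per location,
# every rule that fired (warned or blocked) at least MIN_HITS times there.
waf_exclusions() {
    waf_summary "$1" |
    awk -v min="$2" '{ hits[$1 " " $2] += $4 }
        END { for (k in hits) if (hits[k] >= min) print k }' |
    LC_ALL=C sort |
    awk '$1 != loc { if (loc != "") print "</LocationMatch>"
                     loc = $1; print "<LocationMatch \"" loc "\">" }
         { print "    SecRuleRemoveById " $2 }
         END { if (loc != "") print "</LocationMatch>" }'
}

# Usage against a real controller (hypothetical file name for this script):
#   sh waf_tune.sh /var/log/apache2/error.log 3
if [ "$#" -ge 1 ]; then
    waf_exclusions "$1" "${2:-1}"
fi
```

Read the candidates critically rather than pasting them into horizon.conf: with the sample log and a threshold of 2, only 981318 on /horizon/ is proposed, which matches the exclusion in the Note; with a threshold of 1 the script would also propose removing 950901 on /horizon/project/instances/, yet that entry records a real tautology probe from a single client. The threshold is only a filter; exclude a rule for a location only after the matched data shows legitimate input, and prefer SecRuleUpdateTargetById to exclude just the offending parameter.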